Network Monitoring with Ethereal
We all hope that our networks simply do what they are supposed to do, but often that is not the case. Two systems that should talk to each other don't; a network becomes saturated with traffic for no apparent reason; you need to know what some non-Linux device is doing. In these and other networking situations, Ethereal may be the tool that saves the day.
A few years ago I set up a a wireless link for a project. It was relatively slow--a real data throughput of around 300Kbps--but it easily should have handled the system's traffic. It should have, but in reality, the network seemed saturated much of the time. On paper, everything was fine. The link capacity was significantly more than the traffic--but that was on paper.
The switch talking to the master radio did have a lot of blinking lights, but watching blinking lights to measure traffic is about as accurate as using your tongue as a battery tester. Starting up Ethereal, however, quickly identified the problem. A whole bunch of computers running some other operating system were sending broadcast packets over the network for such exciting events as a computer being turned on or the paper supply in a printer becoming low.
Once I had the problem identified, it was easy to correct. I simply moved the radio traffic to a subnet away from the chatty operating system, and performance was fine.
Ethereal's man page offers this synopsis of what the program does: "Interactively browse network traffic". My use of Ethereal described above occurred in real time, but Ethereal uses the same file format as tcpdump. Therefore, you can use Ethereal to analyze an old dump file. Besides this libpcap format, Ethereal can read many other dump formats, including those from capture tools used on other operating systems--even the chatty ones.
As with virtually all protocol analyzers, Ethereal shows you a summary line for a packet and a hex dump. It also gives you the ability to drill down through the protocol tree. In addition, you can define filters to select and display specifically the data you are interested in. In short, Ethereal offers quite a few command-line options. Unless you want to plant Ethereal in a script, though, it is easier to set it up interactively to do what you want.
A word of warning: if you are monitoring live traffic for a system other than the one Ethereal is running on, make sure you are connecting to it at a point where you can see the traffic. Ethereal sets your local Ethernet interface to promiscuous mode, which means it sees all the traffic. If, however, your system is connected to an Ethernet switch, only the traffic for your system appears and is analyzed. You may need to "splice in" to the place you want to monitor using a hub.
Besides basic monitoring, Ethereal offers a lot of analyzing options. In my example at the start of this article, I could have used a filter to pull out the expected traffic. For example, adding tcp.port != 80 to the filter window and clicking the Apply button would have excluded any port 80 (HTTP) traffic from the display.
The Colorize Display option is handy as well. Select Colorize Display from the Display menu, and Ethereal guides you through the setup. The steps are simple:
You name your new entry and enter an expression. For example, ip.addr == 184.108.40.206 would select any packets whose "from" or "to" IP address is equal to 220.127.116.11. Don't worry, you don't have to memorize all of these choices; the Add Expression button offers a list of all the options.
Select a background color for the new rule.
Select a foreground color for the new rule.
Click Save if you want Ethereal to remember your rules.
That's all there is to it. If you are displaying in real time, you will see the packets appear in color immediately. If you don't like a rule, simply go back and edit it in the same menu.
Copyright (c) 2004, Dean Wilson. Originally published in Linux Gazette issue 98. Copyright (c) 2004, Specialized Systems Consultants, Inc.
Dean Wilson is a system administrator and occasional updater of his Web pages.
|Secure Server Deployments in Hostile Territory, Part II||Jul 29, 2015|
|Hacking a Safe with Bash||Jul 28, 2015|
|KDE Reveals Plasma Mobile||Jul 28, 2015|
|Huge Package Overhaul for Debian and Ubuntu||Jul 23, 2015|
|diff -u: What's New in Kernel Development||Jul 22, 2015|
|Shashlik - a Tasty New Android Simulator||Jul 21, 2015|
- Secure Server Deployments in Hostile Territory, Part II
- Hacking a Safe with Bash
- KDE Reveals Plasma Mobile
- Huge Package Overhaul for Debian and Ubuntu
- The Controversy Behind Canonical's Intellectual Property Policy
- Home Automation with Raspberry Pi
- Shashlik - a Tasty New Android Simulator
- Embed Linux in Monitoring and Control Systems
- diff -u: What's New in Kernel Development
- General Relativity in Python